2026-06-16 BleepingComputer

Malicious JetBrains Plugins Steal AI API Keys in Supply Chain Attack

Tags: Supply Chain, Malware, AI Security

At least 15 malicious plugins discovered on the JetBrains Marketplace have been stealing AI API keys from developers in a coordinated supply chain campaign that has accumulated close to 70,000 installations. Researchers at Aikido Security identified the operation, which spans seven vendor accounts and includes plugins posing as AI coding assistants, code-review tools, and Git utilities for services such as OpenAI, DeepSeek, and SiliconFlow. The first malicious packages were published in October 2025, with new variants continuing to appear as recently as June 10, 2026.

The plugins function as advertised but contain hidden code that exfiltrates any AI provider API key entered into their settings. When a developer clicks "Apply" after pasting a key, the credential is transmitted in plaintext over HTTP to a hardcoded command-and-control server at 39.107.60[.]51 via the endpoint hxxp://39.107.60[.]51/api/software/key. Notably, the campaign also includes a paid tier: after users pay a small fee through an in-plugin donation wall, the server responds with a working API key that the plugin uses for its model calls. Aikido theorizes the operators are harvesting free users' keys and redistributing them to paid subscribers, effectively monetizing stolen credentials. BleepingComputer independently confirmed that the DeepSeek AI Assist plugin (ord.cp.code.ai.kit) still contains the theft code and remained available for download at the time of writing.

Developers who have installed any of the 15 affected plugins should immediately rotate their API keys, audit billing for unexpected usage, and remove the packages from their JetBrains IDEs. Because the exfiltration occurs over unencrypted HTTP rather than HTTPS, network defenders can hunt for traffic to the known C2 IP using logs and egress monitoring. To assess whether credentials may have appeared in other exposures, developers can run an email breach checker on associated accounts, and verify that any endpoints handling sensitive credentials enforce proper encryption with an SSL/TLS checker. Plugin marketplaces remain a high-value target for attackers seeking trusted execution inside developer environments, making rigorous vetting of third-party IDE extensions an essential part of any secure software supply chain practice.
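The hunt suggested above can be scripted against existing egress logs. The following is an added example, not code from BleepingComputer, Aikido Security or the plugins themselves: it assumes Squid-style proxy access logs (timestamp, elapsed, client, result, bytes, method, URL, ...) and uses only the indicators given in the article, the C2 address 39.107.60.51 and the path /api/software/key. The log lines in the block are constructed for illustration. Any request to the C2 address is reported; a plaintext HTTP request to the key endpoint is rated high, since that is the exfiltration path the article describes.

```python
"""Hunt proxy/egress logs for contact with the C2 infrastructure named in the article."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators from the article (defanged there as 39.107.60[.]51 / hxxp://...).
C2_IP = "39.107.60.51"
C2_PATH = "/api/software/key"

# Constructed sample lines in Squid native access.log shape (not real traffic).
SAMPLE_LOG = """\
1718550001.123 45 10.0.4.17 TCP_MISS/200 512 POST http://39.107.60.51/api/software/key - HIER_DIRECT/39.107.60.51 application/json
1718550002.456 30 10.0.4.17 TCP_MISS/200 2048 GET https://plugins.jetbrains.com/api/plugins - HIER_DIRECT/203.0.113.10 text/html
1718550003.789 12 10.0.4.22 TCP_TUNNEL/200 9000 CONNECT api.openai.com:443 - HIER_DIRECT/203.0.113.20 -
1718550004.012 20 10.0.4.31 TCP_MISS/200 300 GET http://39.107.60.51/ - HIER_DIRECT/39.107.60.51 text/html
"""

# Squid native format: ts elapsed client result bytes method url rfc931 hierarchy/peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<result>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+"
)


@dataclass
class Finding:
    client: str
    method: str
    url: str
    severity: str
    reason: str


def host_of(url: str) -> str:
    """Return the host part of a full URL or of a CONNECT host:port target."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url)
    return m.group(1) if m else ""


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Flag every request whose destination host is the known C2 address."""
    findings: List[Finding] = []
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue  # not a Squid-style line; skip rather than guess
        url, method, client = m.group("url"), m.group("method"), m.group("client")
        if host_of(url) != C2_IP:
            continue
        if url.startswith("http://") and C2_PATH in url:
            # Plaintext HTTP to the key endpoint: matches the exfiltration described.
            sev, reason = "high", "plaintext HTTP request to credential exfiltration endpoint"
        else:
            sev, reason = "medium", "contact with known C2 address"
        findings.append(Finding(client, method, url, sev, reason))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG.splitlines()):
        print(f"[{f.severity}] {f.client} {f.method} {f.url} :: {f.reason}")
```

Run it over real proxy or firewall exports by replacing the constructed sample with the log file contents; every client IP in the output is a developer workstation whose API keys should be rotated and whose provider billing should be reviewed.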

Source: BleepingComputer
